
Farbar log


9 replies to this topic

#1 Viveca (Members, 5 posts)

Posted 12 April 2018 - 04:59 AM

Hi,

I suspect someone has installed a Trojan on my computer; could you please check my Farbar log.

Kind regards,

Viveca

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14.03.2018
Ran by Kattis (administrator) on DESKTOP-RD003HP (12-04-2018 07:28:04)
Running from D:\
Loaded Profiles: Kattis (Available Profiles: Kattis)
Platform: Windows 10 Home Version 1709 16299.251 (X64) Language: Svenska (Sverige)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsLdrSrv.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Internet Security\fshoster32.exe
(Conexant Systems Inc.) C:\Windows\System32\CxAudMsg64.exe
(Conexant Systems, Inc.) C:\Program Files\CONEXANT\SAII\CxUtilSvc.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Internet Security\apps\Ultralight\ulcore\1519387538\fsorsp64.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Internet Security\fshoster32.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe
(Nalpeiron Ltd.) C:\Windows\SysWOW64\nalserv.exe
(Nalpeiron Ltd.) C:\Windows\SysWOW64\nlssrv32.exe
(Realtek Semiconductor Corp.) C:\Windows\RtkBtManServ.exe
(Conexant Systems, Inc.) C:\Windows\System32\SASrv.exe
(SDL) C:\Program Files (x86)\SDL\SDL Trados Studio\Studio3\ProductTelemetricsService\Sdl.Desktop.ProductTelemetrics.Host.Windows.exe
() C:\Program Files\WinZip\WinZip Smart Monitor\WinZip Compression Smart Monitor Service.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Internet Security\apps\Ultralight\ulcore\1519387538\fshoster64.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(AMD) C:\Windows\System32\atieclxx.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Internet Security\fshoster32.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1807.264.0_x64__kzf8qxf38zg5c\SkypeHost.exe
(Advanced Micro Devices, Inc.) C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLoader.exe
(ASUSTeK COMPUTER INC.) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPHelper.exe
(Corel Corporation) C:\Program Files\WinZip\WinZip Smart Monitor\WinZipCompressionSmartMonitor.exe
(Conexant Systems, Inc.) C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe
(Conexant Systems, Inc) C:\Program Files\CONEXANT\SAII\SmartAudio.exe
(ASUS) C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [630168 2017-09-29] (Microsoft Corporation)
HKU\S-1-5-21-997193239-2899253090-1109805270-1001\...\RunOnce: [Application Restart #1] => C:\Program Files (x86)\ASUS\Giftbox\Asusgiftbox.exe [1049608 2017-07-03] (ASUSTek Computer Inc)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 82.209.169.71 82.209.169.72
Tcpip\..\Interfaces\{632584ac-cda9-476a-95e0-5a322e3d28c0}: [DhcpNameServer] 10.66.80.1
Tcpip\..\Interfaces\{aa3cd9c7-ec94-47d8-8f5a-cbc60955c13f}: [DhcpNameServer] 82.209.169.71 82.209.169.72

Internet Explorer:
==================
HKU\S-1-5-21-997193239-2899253090-1109805270-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://asus17win10.msn.com/?pc=ASTE
BHO: Browsing Protection by F-Secure -> {45BBE08D-81C5-4A67-AF20-B2A077C67747} -> C:\Program Files (x86)\F-Secure\Internet Security\apps\Ultralight\nif\1520854327\browser\install\fs_ie_https\fs_ie_https64.dll [2018-03-12] (F-Secure Corporation)
BHO: McAfee WebAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll => No File
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll [2018-03-01] (Microsoft Corporation)
BHO-x32: Browsing Protection by F-Secure -> {45BBE08D-81C5-4A67-AF20-B2A077C67747} -> C:\Program Files (x86)\F-Secure\Internet Security\apps\Ultralight\nif\1520854327\browser\install\fs_ie_https\fs_ie_https.dll [2018-03-12] (F-Secure Corporation)
BHO-x32: McAfee WebAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll => No File
Handler: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2018-03-01] (Microsoft Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2018-03-01] (Microsoft Corporation)
Handler: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2018-03-01] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2018-03-01] (Microsoft Corporation)
Handler: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2018-03-01] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2018-03-01] (Microsoft Corporation)
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2018-03-01] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2018-03-01] (Microsoft Corporation)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll No File

FireFox:
========
FF DefaultProfile: 59f1pyqa.default
FF ProfilePath: C:\Users\sanne\AppData\Roaming\Mozilla\Firefox\Profiles\59f1pyqa.default [2018-04-03]
FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\e10ssaffplg.xpi => not found
FF HKLM\...\Firefox\Extensions: [ols@f-secure.com] - C:\Program Files (x86)\F-Secure\Internet Security\apps\Ultralight\nif\1520854327\browser\install\fs_firefox_https\fs_firefox_https.xpi
FF Extension: (Browsing Protection by F-Secure) - C:\Program Files (x86)\F-Secure\Internet Security\apps\Ultralight\nif\1520854327\browser\install\fs_firefox_https\fs_firefox_https.xpi [2018-03-12]
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\e10ssaffplg.xpi => not found
FF HKLM-x32\...\Firefox\Extensions: [ols@f-secure.com] - C:\Program Files (x86)\F-Secure\Internet Security\apps\Ultralight\nif\1520854327\browser\install\fs_firefox_https\fs_firefox_https.xpi
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL [2018-03-01] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL [2018-03-01] (Microsoft Corporation)

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [jmjjnhpacphpjmnnlnccpfmhkcloaade] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [jmjjnhpacphpjmnnlnccpfmhkcloaade] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [7962800 2018-02-22] (Microsoft Corporation)
R2 CxUtilSvc; C:\Program Files\Conexant\SAII\CxUtilSvc.exe [139864 2017-03-23] (Conexant Systems, Inc.)
R2 fshoster; C:\Program Files (x86)\F-Secure\Internet Security\fshoster32.exe [177120 2017-11-28] (F-Secure Corporation)
R2 fsnethoster; C:\Program Files (x86)\F-Secure\Internet Security\fshoster32.exe [177120 2017-11-28] (F-Secure Corporation)
R2 fsulhoster; C:\Program Files (x86)\F-Secure\Internet Security\apps\Ultralight\ulcore\1519387538\fshoster64.exe [569312 2018-03-12] (F-Secure Corporation)
R2 fsulorsp; C:\Program Files (x86)\F-Secure\Internet Security\apps\Ultralight\ulcore\1519387538\fsorsp64.exe [78304 2018-03-12] (F-Secure Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6440736 2018-03-03] (Malwarebytes)
R2 McAfee SiteAdvisor Service; c:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe [604312 2018-01-19] (McAfee, Inc.)
R2 NalServ; C:\Windows\SysWOW64\nalserv.exe [147056 2014-11-07] (Nalpeiron Ltd.)
R2 RtkBtManServ; C:\WINDOWS\RtkBtManServ.exe [293344 2017-07-11] (Realtek Semiconductor Corp.)
R2 SAService; C:\WINDOWS\system32\SAsrv.exe [416576 2016-10-27] (Conexant Systems, Inc.)
R2 Sdl.Studio.ProductTelemetrics.v1; C:\Program Files (x86)\SDL\SDL Trados Studio\Studio3\ProductTelemetricsService\Sdl.Desktop.ProductTelemetrics.Host.Windows.exe [12800 2014-10-31] (SDL) [File not signed]
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [355304 2017-09-29] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [105944 2017-09-29] (Microsoft Corporation)
R2 WinZip Compression Smart Monitor Service; C:\Program Files\WinZip\WinZip Smart Monitor\WinZip Compression Smart Monitor Service.exe [495872 2017-09-01] ()
S4 mccspsvc; "C:\Program Files\Common Files\McAfee\CSP\2.7.371.0\\McCSPServiceHost.exe" [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 amdgpio2; C:\WINDOWS\System32\drivers\amdgpio2.sys [34704 2016-08-13] (Advanced Micro Devices, Inc)
R3 amdi2c; C:\WINDOWS\System32\drivers\amdi2c.sys [54160 2016-09-14] (Advanced Micro Devices, Inc)
S3 amdkmcsp; C:\WINDOWS\system32\DRIVERS\amdkmcsp.sys [101232 2017-06-16] (Advanced Micro Devices, Inc. )
R3 amdkmdag; C:\WINDOWS\System32\DriverStore\FileRepository\c0318486.inf_amd64_11ba0b4b7cc81d52\atikmdag.sys [38774688 2017-10-13] (Advanced Micro Devices, Inc.)
R3 amdkmdap; C:\WINDOWS\System32\DriverStore\FileRepository\c0318486.inf_amd64_11ba0b4b7cc81d52\atikmpag.sys [549792 2017-10-13] (Advanced Micro Devices, Inc.)
R0 amdkmpfd; C:\WINDOWS\System32\drivers\amdkmpfd.sys [106416 2017-10-13] (Advanced Micro Devices, Inc.)
R0 amdpsp; C:\WINDOWS\System32\DRIVERS\amdpsp.sys [243048 2017-06-16] (Advanced Micro Devices, Inc. )
R3 amduart; C:\WINDOWS\System32\drivers\amduart.sys [91672 2016-08-13] (Advanced Micro Devices, Inc)
R3 AsusTP; C:\WINDOWS\System32\drivers\AsusTP.sys [101872 2017-05-24] (ASUS Corporation)
R3 AtiHDAudioService; C:\WINDOWS\system32\drivers\AtihdWT6.sys [101376 2016-12-08] (Advanced Micro Devices)
S3 AX88179; C:\WINDOWS\System32\drivers\ax88179_178a.sys [74240 2017-09-29] (ASIX Electronics Corp.)
R3 F-Secure Gatekeeper; C:\Program Files (x86)\F-Secure\Internet Security\apps\Ultralight\ulcore\1519387538\fsulgk.sys [230248 2018-03-12] (F-Secure Corporation)
R1 F-Secure UL HIPS; C:\Program Files (x86)\F-Secure\Internet Security\apps\Ultralight\ulcore\1519387538\fshs.sys [93032 2018-03-12] (F-Secure Corporation)
R0 fsbts; C:\WINDOWS\System32\drivers\fsbts.sys [73928 2018-03-12] ()
R3 fsni; C:\Program Files (x86)\F-Secure\Internet Security\apps\Ultralight\nif\1520854327\fsni64.sys [117576 2018-03-12] (F-Secure Corporation)
R3 HIDSwitch; C:\WINDOWS\System32\drivers\AsRadioControl.sys [31120 2016-12-19] (ASUS)
R3 MBAMSwissArmy; C:\WINDOWS\System32\Drivers\mbamswissarmy.sys [253664 2018-03-24] (Malwarebytes)
R3 mfesapsn; C:\Program Files (x86)\McAfee\SiteAdvisor\x64\mfesapsn.sys [111608 2017-02-14] (McAfee, Inc.)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [898296 2016-01-13] (Realtek )
R3 RtkBtFilter; C:\WINDOWS\system32\DRIVERS\RtkBtfilter.sys [724448 2017-07-11] (Realtek Semiconductor Corporation)
R3 RTWlanE; C:\WINDOWS\System32\drivers\rtwlane.sys [6907240 2017-07-18] (Realtek Semiconductor Corporation )
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44608 2017-09-29] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [309144 2017-09-29] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [119192 2017-09-29] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-04-08 09:00 - 2018-04-12 07:28 - 000000000 ____D C:\FRST
2018-03-24 17:54 - 2018-03-24 17:54 - 000012331 _____ C:\Users\sanne\Desktop\hijackthis_med backupfiler
2018-03-24 17:45 - 2018-04-12 07:19 - 000000000 ____D C:\Users\sanne\Desktop\Back up ASUS 2018-01-06
2018-03-24 17:03 - 2018-03-24 17:03 - 000000000 ____D C:\WINDOWS\System32\Tasks\S-1-5-21-997193239-2899253090-1109805270-1001
2018-03-21 18:08 - 2018-03-21 18:08 - 000012291 _____ C:\Users\sanne\Desktop\hijackthis_3.txt
2018-03-21 18:06 - 2018-03-21 15:48 - 000000215 _____ C:\Users\sanne\Desktop\Malawarebytes.txt
2018-03-21 18:05 - 2018-03-21 12:39 - 000388608 _____ (Trend Micro Inc.) C:\Users\sanne\Desktop\HijackThis.exe
2018-03-21 18:04 - 2018-03-23 21:59 - 000012092 _____ C:\Users\sanne\Desktop\hijackthis_run as admin.txt
2018-03-21 15:39 - 2018-03-24 17:19 - 000253664 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2018-03-21 15:39 - 2018-03-21 15:39 - 000001914 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-03-21 15:39 - 2018-03-21 15:39 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-03-21 15:38 - 2018-03-21 15:38 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-03-21 15:38 - 2018-03-21 15:38 - 000000000 ____D C:\Program Files\Malwarebytes
2018-03-21 15:38 - 2018-01-18 10:03 - 000076200 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2018-03-14 13:42 - 2018-03-21 16:34 - 000000000 ____D C:\Users\sanne\Desktop\24.se
2018-03-14 13:39 - 2018-04-03 10:00 - 000000000 ____D C:\Users\sanne\Desktop\Deklaration för 2017

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-04-12 07:20 - 2018-02-26 14:24 - 000000182 _____ C:\Users\sanne\AppData\Roaming\sp_data.sys
2018-04-11 13:46 - 2017-09-29 15:46 - 000000000 ____D C:\WINDOWS\AppReadiness
2018-04-11 13:38 - 2018-03-05 15:29 - 000003550 _____ C:\WINDOWS\System32\Tasks\ASUS Live Update1
2018-04-11 13:38 - 2018-03-05 15:29 - 000003540 _____ C:\WINDOWS\System32\Tasks\ASUS Live Update2
2018-04-08 09:02 - 2018-03-05 15:23 - 000000000 ____D C:\Users\sanne\AppData\Local\Packages
2018-04-08 09:01 - 2018-03-12 13:15 - 000000000 ____D C:\Users\sanne\Desktop\Admin
2018-04-08 08:58 - 2018-03-05 15:17 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2018-04-03 17:26 - 2018-02-26 14:27 - 000000000 ____D C:\Users\sanne\AppData\LocalLow\Mozilla
2018-03-29 19:00 - 2017-09-29 15:46 - 000000000 ____D C:\WINDOWS\LiveKernelReports
2018-03-24 17:23 - 2018-03-05 15:31 - 001893396 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2018-03-24 17:23 - 2017-09-30 16:10 - 000811192 _____ C:\WINDOWS\system32\perfh01D.dat
2018-03-24 17:23 - 2017-09-30 16:10 - 000169694 _____ C:\WINDOWS\system32\perfc01D.dat
2018-03-24 17:19 - 2018-03-05 15:29 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2018-03-24 17:18 - 2018-02-26 14:26 - 000000000 ____D C:\Program Files\Mozilla Firefox
2018-03-24 17:18 - 2018-02-26 14:26 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-03-24 17:18 - 2017-11-29 22:55 - 000065536 _____ C:\WINDOWS\psp_storage.bin
2018-03-24 17:18 - 2017-09-29 10:45 - 000786432 _____ C:\WINDOWS\system32\config\BBI
2018-03-21 13:06 - 2017-09-29 15:46 - 000000000 ___HD C:\Program Files\WindowsApps
2018-03-21 12:59 - 2018-02-26 14:21 - 000000000 ____D C:\Users\sanne\AppData\Local\VirtualStore
2018-03-21 12:58 - 2018-03-05 15:15 - 000000000 ____D C:\Windows.old
2018-03-21 10:48 - 2017-09-29 15:44 - 000000000 ____D C:\WINDOWS\INF
2018-03-15 16:47 - 2018-02-26 14:23 - 000000000 ___RD C:\Users\sanne\OneDrive
2018-03-15 09:34 - 2017-09-29 15:46 - 000000000 ____D C:\WINDOWS\DeliveryOptimization
2018-03-14 18:11 - 2018-02-26 14:26 - 000001007 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
2018-03-14 16:25 - 2018-03-07 16:59 - 000000000 ____D C:\Users\sanne\Desktop\2018-03-08
2018-03-14 11:02 - 2018-02-27 12:04 - 000000000 ____D C:\WINDOWS\system32\MRT
2018-03-14 11:02 - 2017-09-29 15:37 - 000000000 ____D C:\WINDOWS\CbsTemp
2018-03-14 11:01 - 2018-02-27 12:04 - 130364688 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT-KB890830.exe
2018-03-14 11:00 - 2018-02-27 12:04 - 130364688 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2018-03-13 13:09 - 2018-03-12 14:56 - 000000000 ____D C:\Users\sanne\Desktop\More than Words

==================== Files in the root of some directories =======

2018-02-26 14:24 - 2018-04-12 07:20 - 000000182 _____ () C:\Users\sanne\AppData\Roaming\sp_data.sys

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2018-04-02 20:32

==================== End of FRST.txt ============================

And the Addition file:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018
Ran by Kattis (12-04-2018 07:28:59)
Running from D:\
Windows 10 Home Version 1709 16299.251 (X64) (2018-03-05 13:30:49)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administratör (S-1-5-21-997193239-2899253090-1109805270-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-997193239-2899253090-1109805270-503 - Limited - Disabled)
Gäst (S-1-5-21-997193239-2899253090-1109805270-501 - Limited - Disabled)
Kattis (S-1-5-21-997193239-2899253090-1109805270-1001 - Administrator - Enabled) => C:\Users\sanne
WDAGUtilityAccount (S-1-5-21-997193239-2899253090-1109805270-504 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: F-Secure (Enabled - Out of date) {35BE5FA4-2DEA-00F8-DC55-FD8AF743F44F}
AS: F-Secure (Enabled - Out of date) {8EDFBE40-0BD0-0F76-E6E5-C6F88CC4BEF2}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

AMD Settings (HKLM\...\WUCCCApp) (Version: 2017.0922.1659.28737 - Advanced Micro Devices, Inc.)
AMD Software (HKLM\...\AMD Catalyst Install Manager) (Version: 9.0.000.8 - Advanced Micro Devices, Inc.)
ASUS GIFTBOX (HKLM-x32\...\ASUS GIFTBOX) (Version: 7.5.24 - ASUSTek Computer Inc)
ASUS Live Update (HKLM-x32\...\{FA540E67-095C-4A1B-97BA-4D547DEC9AF4}) (Version: 3.4.3 - ASUS)
ASUS Smart Gesture (HKLM-x32\...\{4D3286A6-F6AB-498A-82A4-E4F040529F3D}) (Version: 4.0.19 - ASUS)
ASUS Splendid Video Enhancement Technology (HKLM-x32\...\{0969AF05-4FF6-4C00-9406-43599238DE0D}) (Version: 3.20.0001 - ASUS)
ATK Package (HKLM-x32\...\{AB5C933E-5C7D-4D30-B314-9C83A49B94BE}) (Version: 1.0.0043 - ASUS)
AudioWizard (HKLM-x32\...\{57E770A2-2BAF-4CAA-BAA3-BD896E2254D3}) (Version: 1.0.1.3 - ICEpower a/s)
Catalyst Control Center Next Localization BR (HKLM\...\{A16E186C-58C4-3BDC-5CCE-714EFEF5F27F}) (Version: 2017.0922.1659.28737 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHS (HKLM\...\{E42911E5-48F8-8557-ED20-D72AD1907D25}) (Version: 2017.0922.1659.28737 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHT (HKLM\...\{B4C30EF4-B2C5-1395-B534-7B63BCB6E8E4}) (Version: 2017.0922.1659.28737 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CS (HKLM\...\{62098A5F-E03B-31A3-5F9C-51A7F7D25744}) (Version: 2017.0922.1659.28737 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DA (HKLM\...\{1757AD9B-0E3C-05F9-FE43-4343BED7DA85}) (Version: 2017.0922.1659.28737 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DE (HKLM\...\{66B06F29-EE4F-9130-D96A-754826093FEA}) (Version: 2017.0922.1659.28737 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization EL (HKLM\...\{821D0A0E-F246-BE40-0D68-93883C14C410}) (Version: 2017.0922.1659.28737 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization ES (HKLM\...\{88BD74C4-23AB-4554-915C-6E1F0C81F6CD}) (Version: 2017.0922.1659.28737 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FI (HKLM\...\{A48E2AB0-0866-7783-9657-E1709EB18D02}) (Version: 2017.0922.1659.28737 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FR (HKLM\...\{E61CEF9A-BAC3-EAEE-F735-E257D2354DF2}) (Version: 2017.0922.1659.28737 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization HU (HKLM\...\{DA0326BB-657D-AAFC-752C-363E8FA33755}) (Version: 2017.0922.1659.28737 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization IT (HKLM\...\{B873A1FB-5EA0-EE5F-A861-1E38880AD08E}) (Version: 2017.0922.1659.28737 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization JA (HKLM\...\{EC9DF9FF-9D75-4CDD-1D58-A2E887B0A42E}) (Version: 2017.0922.1659.28737 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization KO (HKLM\...\{7ABACA7E-6E59-0EF9-8FA3-6B32E5F58127}) (Version: 2017.0922.1659.28737 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NL (HKLM\...\{3E196AAF-F81C-B384-E2AB-28EE2398FE5F}) (Version: 2017.0922.1659.28737 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NO (HKLM\...\{DAEFFE0C-CD05-1355-6AFC-7B3D4106A820}) (Version: 2017.0922.1659.28737 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization PL (HKLM\...\{E392A425-53A7-DF90-96A0-E287A75DD3B2}) (Version: 2017.0922.1659.28737 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization RU (HKLM\...\{D6F47BB4-700A-F612-0671-5F69EA311BB7}) (Version: 2017.0922.1659.28737 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization SV (HKLM\...\{01FD9A26-3F61-9236-B360-BE5D043D82C0}) (Version: 2017.0922.1659.28737 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TH (HKLM\...\{64D4CCC3-63DF-252D-D29D-03491670225D}) (Version: 2017.0922.1659.28737 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TR (HKLM\...\{8DF90937-B869-9F76-5D45-5A8BDA0A33B6}) (Version: 2017.0922.1659.28737 - Advanced Micro Devices, Inc.) Hidden
Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM-x32\...\{AF312B06-5C5C-468E-89B3-BE6DE2645722}) (Version: 1.0.19 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM-x32\...\{0A4EF0E6-A912-4CDE-A7F3-6E56E7C13A2F}) (Version: 1.1.6 - Cisco Systems, Inc.)
Computer Security 17.204.106.0 (release) (HKLM-x32\...\{658FDBCA-B7A1-43E4-A849-9F0812473331}) (Version: 17.204.106.0 - F-Secure Corporation) Hidden
Conexant HD Audio (HKLM\...\CNXT_AUDIO_HDA) (Version: 8.66.64.53 - Conexant)
Device Setup (HKLM-x32\...\{8D6B05E0-F457-408C-9D13-549334D8FAE1}) (Version: 2.2.7 - ASUSTek COMPUTER INC.)
F-Secure (HKLM-x32\...\{5B2DB883-3BBC-4BC7-8CB4-93DA19DE75B2}) (Version: 3.04.148.0 - F-Secure Corporation) Hidden
F-Secure (HKLM-x32\...\F-Secure ServiceEnabler 666) (Version: 3.04.148.0 - F-Secure Corporation)
F-Secure Ultralight 1.1.14.0 (release) (HKLM-x32\...\{55079DAB-EB0E-4946-8AC2-64CD27AA3146}) (Version: 1.1.14.0 - F-Secure Corporation) Hidden
Malwarebytes version 3.4.4.2398 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.4.4.2398 - Malwarebytes)
McAfee WebAdvisor (HKLM-x32\...\{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}) (Version: 4.0.163 - McAfee, Inc.)
Microsoft Office Home and Student 2016 - sv-se (HKLM\...\HomeStudentRetail - sv-se) (Version: 16.0.9029.2167 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-997193239-2899253090-1109805270-1001\...\OneDriveSetup.exe) (Version: 18.025.0204.0009 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft WSE 2.0 SP3 Runtime (HKLM-x32\...\{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}) (Version: 2.0.5050.0 - Microsoft Corp.)
Mozilla Firefox 59.0 (x64 en-US) (HKLM\...\Mozilla Firefox 59.0 (x64 en-US)) (Version: 59.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 58.0.2 - Mozilla)
OEM Application Profile (HKLM-x32\...\{B4B7FD8F-06FC-E277-4F29-8F75F8281D8F}) (Version: 1.00.0000 - Advanced Micro Devices, Inc.)
Office 16 Click-to-Run Extensibility Component (HKLM\...\{90160000-008C-0000-1000-0000000FF1CE}) (Version: 16.0.9029.2167 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-007E-0000-1000-0000000FF1CE}) (Version: 16.0.9029.2167 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM\...\{90160000-008C-041D-1000-0000000FF1CE}) (Version: 16.0.9029.2167 - Microsoft Corporation) Hidden
Online Safety 2.204.7118.12 (HKLM-x32\...\{86CBD388-8B4D-4275-9872-60F6BF7211FA}) (Version: 2.204.7118.12 - F-Secure Corporation) Hidden
Open XML SDK 2.0 for Microsoft Office (HKLM-x32\...\{171D8D76-3F05-455A-A8AF-C561C2679905}) (Version: 2.0.5022 - Microsoft Corporation)
REALTEK Bluetooth Filter Driver (HKLM-x32\...\{9D3D8C60-A5EF-4123-B2B9-172095903AD}) (Version: 1.4.1000.170710 - REALTEK Semiconductor Corp.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 10.3.723.2015 - Realtek)
Realtek PCI-E Wireless LAN Driver (HKLM-x32\...\InstallShield_{70714FB7-4084-4202-A599-2D5935DECB67}) (Version: Drv_3.00.0017 - REALTEK Semiconductor Corp.)
SDL Trados 2014 SP2 - Remove suite of products (HKLM-x32\...\TranslationStudio2014) (Version: 3.2.4322 - SDL)
SDL Trados Legacy Compatibility Module for Studio 2014 (HKLM-x32\...\{7F8F4AF6-0CE2-46E9-BA14-C55F19968926}) (Version: 2.1.128 - SDL)
SDL Trados Studio 2014 SP2 (HKLM-x32\...\{47EA73FD-3EA0-48FC-B5CE-662FFC6E91D7}) (Version: 3.2.4322 - SDL)
Update for Windows 10 for x64-based Systems (KB4023057) (HKLM\...\{E345A108-D9E8-456B-9550-435132D5C9CE}) (Version: 2.13.0.0 - Microsoft Corporation)
UpdateAssistant (HKLM\...\{567756E0-361F-4E88-AF74-8B0E4628E5BC}) (Version: 1.12.0.0 - Microsoft Corporation) Hidden
Windows Driver Package - ASUS (AsusTP) Mouse  (04/10/2017 1.0.0.296) (HKLM\...\CE3B2AC6A7CFF15EC85D2C007B1B4143383541C1) (Version: 04/10/2017 1.0.0.296 - ASUS)
Windows Setup Remediations (x64) (KB4023057) (HKLM\...\{5534e02f-0f5d-40dd-ba92-bea38d22384d}.sdb) (Version:  - )
WinFlash (HKLM-x32\...\{8F21291E-0444-4B1D-B9F9-4370A73E346D}) (Version: 3.2.2 - ASUSTeK COMPUTER INC.)
WinZip 22.0 (HKLM\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C24115}) (Version: 22.0.12670 - Corel Corporation)
Vulkan Run Time Libraries 1.0.37.0 (HKLM\...\VulkanRT1.0.37.0) (Version: 1.0.37.0 - LunarG, Inc.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-997193239-2899253090-1109805270-1001_Classes\CLSID\{CB2B673F-D441-4CD4-AFBE-DC4037CA4220}\InprocServer32 -> C:\Program Files\WinZip\adxloader64.WinZipExpressForOffice.dll ()
ContextMenuHandlers1-x32: [TranslationStudioShlExt2011] -> {F6C08E19-DCE1-45B5-A225-E94FADB585DD} => C:\Program Files (x86)\SDL\SDL Trados Studio\Studio3\TranslationStudioExt.dll [2014-11-11] (TODO: <Company name>)
ContextMenuHandlers1-x32: [WinZip] -> {E0D79304-84BE-11CE-9641-444553540000} => C:\Program Files\WinZip\wzshls64.dll [2017-11-03] (WinZip Computing, S.L.)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-03-03] (Malwarebytes)
ContextMenuHandlers4: [WinZip] -> {E0D79304-84BE-11CE-9641-444553540000} => C:\Program Files\WinZip\wzshls64.dll [2017-11-03] (WinZip Computing, S.L.)
ContextMenuHandlers5: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} => C:\Program Files\AMD\CNext\CNext\atiacm64.dll [2017-09-22] (Advanced Micro Devices, Inc.)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-03-03] (Malwarebytes)
ContextMenuHandlers6: [WinZip] -> {E0D79304-84BE-11CE-9641-444553540000} => C:\Program Files\WinZip\wzshls64.dll [2017-11-03] (WinZip Computing, S.L.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0D0A433A-CD3E-42FB-9FA4-D31A3BFC843F} - System32\Tasks\ASUS Splendid ACMON => C:\Program Files (x86)\ASUS\Splendid\ACMON.exe [2017-05-24] (ASUS)
Task: {112737E6-A2DC-4B36-AD28-B0043B283F0D} - System32\Tasks\ATK Package A22126881260 => C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\SimAppExec.exe [2015-09-22] (ASUSTek Computer Inc.)
Task: {1229BEC1-7A67-4EBA-A630-97F798522721} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerLogon => C:\Program Files\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2018-03-01] (Microsoft Corporation)
Task: {20745C92-43C5-497F-B7E8-3DFB1A8B4D67} - System32\Tasks\ATK Package 36D18D69AFC3 => C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\SimAppExec.exe [2015-09-22] (ASUSTek Computer Inc.)
Task: {26637BA7-435D-4EAD-A7FD-807D71369169} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2018-02-22] (Microsoft Corporation)
Task: {2DC194BA-CADD-41EB-A3C4-235F9044DA60} - System32\Tasks\ASUS\ASUS Product Register Service => C:\Program Files (x86)\ASUS\APRP\aprp.exe [2016-11-09] (ASUSTek COMPUTER INC.)
Task: {37E9B3B4-7532-4EB2-8475-1310B6DF7026} - System32\Tasks\S-1-5-21-997193239-2899253090-1109805270-1001\DataSenseLiveTileTask => C:\WINDOWS\System32\DataUsageLiveTileTask.exe [2017-09-29] (Microsoft Corporation)
Task: {6CB0E9B1-ADE3-4F56-8B8E-78C48AF907A1} - System32\Tasks\ASUS Live Update2 => C:\Program Files (x86)\ASUS\ASUS Live Update\UpdateChecker.exe [2016-08-01] ()
Task: {7A06B7CD-51F6-408B-A2AF-5D6419726084} - System32\Tasks\Microsoft\Windows\Conexant\SA2 => C:\Program Files\CONEXANT\SAII\SACpl.exe [2016-08-29] (Conexant Systems, Inc.)
Task: {A5EDCE25-DCBD-476A-B7D7-12E48BE0D2CE} - System32\Tasks\ASUS Smart Gesture Launcher => C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLauncher.exe [2017-05-24] (AsusTek)
Task: {A6DEA21D-9ED7-45F3-A8B0-F475AC6D394E} - System32\Tasks\Update Checker => C:\Program Files (x86)\ASUS\ASUS Live Update\UpdateChecker.exe [2016-08-01] ()
Task: {AD4ED1BE-EE90-4733-961F-2DDA2C4D21AC} - System32\Tasks\ASUSTek Computer Inc\ASUS GIFTBOX => C:\Program Files (x86)\ASUS\Giftbox\asusgiftbox.exe [2017-07-03] (ASUSTek Computer Inc)
Task: {B8DC580D-FCE9-43BA-AD57-CE4AC3C0AACB} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerRegistration => C:\Program Files\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2018-03-01] (Microsoft Corporation)
Task: {B9EA03C5-24BC-4634-86D1-82343F3F87BD} - System32\Tasks\Microsoft\Windows\Conexant\AFA => C:\Program Files\CONEXANT\cAudioFilterAgent\SACpl.exe [2016-07-05] (Conexant Systems, Inc.)
Task: {CAE80831-EC5E-46E0-A5EF-B6069B53E971} - System32\Tasks\ASUS Live Update1 => C:\Program Files (x86)\ASUS\ASUS Live Update\UpdateChecker.exe [2016-08-01] ()
Task: {CD13BCB8-E93D-464F-921B-D62FBE20848E} - System32\Tasks\StartCN => C:\Program Files\AMD\CNext\CNext\cncmd.exe [2017-09-22] (Advanced Micro Devices, Inc.)
Task: {FC55EE6F-86A4-4DBE-AF24-EEFA7461AFA9} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2018-02-22] (Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


ShortcutWithArgument: C:\Users\sanne\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\7634a48803fa655b\ASUS GIFTBOX.lnk -> C:\Program Files (x86)\ASUS\Giftbox\Asusgiftbox.exe (ASUSTek Computer Inc) -> --user-data-dir="C:\Users\sanne\AppData\Local\ASUS GIFTBOX\User Data" --profile-directory=Default --app-id=gicdkbgeaegfghgkdgaejkfeppmlobel

==================== Loaded Modules (Whitelisted) ==============

2018-03-12 11:05 - 2018-03-12 11:05 - 000331744 _____ () C:\Program Files (x86)\F-Secure\Internet Security\apps\Ultralight\ulcore\1519387538\daas2_x64.dll
2017-09-01 13:15 - 2017-09-01 13:15 - 000495872 _____ () C:\Program Files\WinZip\WinZip Smart Monitor\WinZip Compression Smart Monitor Service.exe
2018-03-12 11:05 - 2018-03-12 11:05 - 000319968 _____ () C:\Program Files (x86)\F-Secure\Internet Security\apps\Ultralight\ulcore\1519387538\senddump_fshoster_plugin64.dll
2018-03-21 15:38 - 2018-02-05 16:44 - 002299168 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2017-09-29 15:41 - 2017-09-29 15:41 - 000184432 _____ () C:\WINDOWS\SYSTEM32\inputhost.dll
2018-03-06 18:23 - 2018-02-22 02:26 - 011044864 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2018-03-06 18:22 - 2018-02-22 02:21 - 001804288 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2018-02-27 13:14 - 2018-02-27 13:14 - 000086528 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1807.264.0_x64__kzf8qxf38zg5c\SkypeHost.exe
2018-02-27 13:14 - 2018-02-27 13:14 - 000195072 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1807.264.0_x64__kzf8qxf38zg5c\SkypeBackgroundTasks.dll
2018-02-27 13:14 - 2018-02-27 13:14 - 021824000 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1807.264.0_x64__kzf8qxf38zg5c\SkyWrap.dll
2018-02-27 13:14 - 2018-02-27 13:14 - 002529792 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1807.264.0_x64__kzf8qxf38zg5c\skypert.dll
2018-02-27 13:14 - 2018-02-27 13:14 - 000649216 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1807.264.0_x64__kzf8qxf38zg5c\RtmMvrUap.dll
2016-09-13 03:01 - 2016-09-13 03:01 - 000014336 _____ () C:\Program Files\AMD\CNext\CNext\QtQuick.2\qtquick2plugin.dll
2016-09-13 03:01 - 2016-09-13 03:01 - 000739840 _____ () C:\Program Files\AMD\CNext\CNext\QtQuick\Controls\qtquickcontrolsplugin.dll
2016-09-13 03:01 - 2016-09-13 03:01 - 000014336 _____ () C:\Program Files\AMD\CNext\CNext\QtQuick\Window.2\windowplugin.dll
2016-09-13 03:01 - 2016-09-13 03:01 - 000071168 _____ () C:\Program Files\AMD\CNext\CNext\QtQuick\Layouts\qquicklayoutsplugin.dll
2016-09-13 03:01 - 2016-09-13 03:01 - 000011776 _____ () C:\Program Files\AMD\CNext\CNext\libEGL.dll
2016-09-13 03:01 - 2016-09-13 03:01 - 002013696 _____ () C:\Program Files\AMD\CNext\CNext\libGLESv2.dll
2016-09-13 03:01 - 2016-09-13 03:01 - 000191488 _____ () C:\Program Files\AMD\CNext\CNext\QtQuick\Dialogs\dialogplugin.dll
2017-11-28 12:22 - 2017-11-28 12:22 - 000210912 _____ () C:\Program Files (x86)\F-Secure\Internet Security\zlib_32.dll
2017-11-28 12:22 - 2017-11-28 12:22 - 000254944 _____ () C:\Program Files (x86)\F-Secure\Internet Security\daas2.dll
2017-05-24 14:40 - 2017-05-24 14:40 - 000033280 _____ () C:\Program Files (x86)\ASUS\Splendid\DetectDisplayDC.dll
2017-04-14 17:45 - 2017-04-14 17:45 - 000125440 _____ () C:\Program Files (x86)\ASUS\Splendid\CCTAdjust.dll
2017-04-14 17:45 - 2017-04-14 17:45 - 000029184 _____ () C:\Program Files (x86)\ASUS\Splendid\VideoEnhance.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MCODS => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2017-03-18 23:03 - 2017-03-18 23:01 - 000000824 _____ C:\WINDOWS\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-997193239-2899253090-1109805270-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\sanne\AppData\Local\Microsoft\Windows\Themes\RoamedThemeFiles\DesktopBackground\sany0076.jpg
DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{9420E2A5-F769-4248-B7D0-62CCCC753884}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.75.483.0_x86__zpdnekdrzrea0\SpotifyWebHelper.exe
FirewallRules: [{1B26B4E5-69A1-4FC9-904C-44DE4ECFA5B4}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.75.483.0_x86__zpdnekdrzrea0\SpotifyWebHelper.exe
FirewallRules: [{94BD1277-CCAC-4969-9A5B-3F6EEF696023}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.75.483.0_x86__zpdnekdrzrea0\Spotify.exe
FirewallRules: [{7C7F0AC1-C4CC-45FD-975D-683D9AED0CFE}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.75.483.0_x86__zpdnekdrzrea0\Spotify.exe
FirewallRules: [{52D25B8D-F9C8-4ABC-9E71-A8B34CF45AED}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.75.483.0_x86__zpdnekdrzrea0\Spotify.exe
FirewallRules: [{FF01467C-D9FE-4C24-9B29-0F1975E33D12}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.75.483.0_x86__zpdnekdrzrea0\Spotify.exe
FirewallRules: [{F47CE653-E476-40BD-86A6-C76DB12C175C}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.75.483.0_x86__zpdnekdrzrea0\Spotify.exe
FirewallRules: [{66F522CE-9003-45EF-947F-3F162ACBD206}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.75.483.0_x86__zpdnekdrzrea0\Spotify.exe
FirewallRules: [{4A708077-68BE-4668-AF5A-F1D2098B85F4}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.75.483.0_x86__zpdnekdrzrea0\Spotify.exe
FirewallRules: [{16F88C76-C718-45A6-B433-4E3C7E418288}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.75.483.0_x86__zpdnekdrzrea0\Spotify.exe
FirewallRules: [UDP Query User{F7B60D80-A278-4355-A331-132379847562}C:\program files\mozilla firefox\firefox.exe] => (Block) C:\program files\mozilla firefox\firefox.exe
FirewallRules: [TCP Query User{0B05B8AD-C331-49BD-B56C-CEA6C5276280}C:\program files\mozilla firefox\firefox.exe] => (Block) C:\program files\mozilla firefox\firefox.exe
FirewallRules: [{D0E97851-07E0-4B61-91C7-10809B44A5D3}] => (Allow) C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHost.exe
FirewallRules: [{7D0E5796-F531-40A2-B0F2-BA70369593FE}] => (Allow) C:\Program Files (x86)\Common Files\Mcafee\MMSSHost\MMSSHost.exe
FirewallRules: [{6E7A05EB-9781-4359-B7F8-2129E41B070F}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{7C8E022C-3A6F-453E-BD45-2576FEBCF605}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe

==================== Restore Points =========================

ATTENTION: System Restore is disabled

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (03/12/2018 11:03:24 AM) (Source: ATIeRecord) (EventID: 16387) (User: )
Description:

Error: (03/05/2018 03:28:36 PM) (Source: MSDTC Client 2) (EventID: 4104) (User: )
Description: Det gick inte att hämta status för klusternoden: .Returnerad felkod: 0x8007085A

Error: (03/05/2018 03:27:49 PM) (Source: ESENT) (EventID: 455) (User: )
Description: mighost (6696,R,0) TILEREPOSITORYS-1-0-0: Felet -1023 (0xfffffc01) inträffade när loggfilen C:\Users\Default\AppData\Local\TileDataLayer\Database\EDB.log öppnades.

Error: (03/05/2018 03:27:31 PM) (Source: MSDTC Client 2) (EventID: 4104) (User: )
Description: Det gick inte att hämta status för klusternoden: .Returnerad felkod: 0x8007085A

Error: (03/05/2018 03:27:31 PM) (Source: MSDTC 2) (EventID: 4104) (User: )
Description: Det gick inte att hämta status för klusternoden: .Returnerad felkod: 0x8007085A

Error: (03/05/2018 03:27:31 PM) (Source: MSDTC Client 2) (EventID: 4104) (User: )
Description: Det gick inte att hämta status för klusternoden: .Returnerad felkod: 0x8007085A


System errors:
=============
Error: (04/12/2018 07:20:47 AM) (Source: DCOM) (EventID: 10016) (User: NT instans)
Description: Behörighetsinställningarna programspecifik ger inte Lokal behörigheten Aktivering för COM-serverprogrammet med CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 och APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 till användaren NT instans\Lokal tjänst SID (S-1-5-19) från adress LocalHost (med LRPC) som körs i programbehållaren Inte tillgänglig SID (Inte tillgänglig). Det går att ändra säkerhetsbehörigheten med hjälp av administrationsverktyget Komponenttjänster.

Error: (04/12/2018 07:17:48 AM) (Source: DCOM) (EventID: 10016) (User: NT instans)
Description: Behörighetsinställningarna programspecifik ger inte Lokal behörigheten Aktivering för COM-serverprogrammet med CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 och APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 till användaren NT instans\Lokal tjänst SID (S-1-5-19) från adress LocalHost (med LRPC) som körs i programbehållaren Inte tillgänglig SID (Inte tillgänglig). Det går att ändra säkerhetsbehörigheten med hjälp av administrationsverktyget Komponenttjänster.

Error: (04/12/2018 07:17:48 AM) (Source: DCOM) (EventID: 10016) (User: NT instans)
Description: Behörighetsinställningarna programspecifik ger inte Lokal behörigheten Aktivering för COM-serverprogrammet med CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 och APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 till användaren NT instans\Lokal tjänst SID (S-1-5-19) från adress LocalHost (med LRPC) som körs i programbehållaren Inte tillgänglig SID (Inte tillgänglig). Det går att ändra säkerhetsbehörigheten med hjälp av administrationsverktyget Komponenttjänster.

Error: (04/12/2018 07:17:48 AM) (Source: DCOM) (EventID: 10016) (User: NT instans)
Description: Behörighetsinställningarna programspecifik ger inte Lokal behörigheten Aktivering för COM-serverprogrammet med CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 och APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 till användaren NT instans\Lokal tjänst SID (S-1-5-19) från adress LocalHost (med LRPC) som körs i programbehållaren Inte tillgänglig SID (Inte tillgänglig). Det går att ändra säkerhetsbehörigheten med hjälp av administrationsverktyget Komponenttjänster.

Error: (04/12/2018 07:17:48 AM) (Source: DCOM) (EventID: 10016) (User: NT instans)
Description: Behörighetsinställningarna programspecifik ger inte Lokal behörigheten Aktivering för COM-serverprogrammet med CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 och APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 till användaren NT instans\Lokal tjänst SID (S-1-5-19) från adress LocalHost (med LRPC) som körs i programbehållaren Inte tillgänglig SID (Inte tillgänglig). Det går att ändra säkerhetsbehörigheten med hjälp av administrationsverktyget Komponenttjänster.

Error: (04/11/2018 01:38:14 PM) (Source: DCOM) (EventID: 10016) (User: NT instans)
Description: Behörighetsinställningarna programspecifik ger inte Lokal behörigheten Aktivering för COM-serverprogrammet med CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 och APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 till användaren NT instans\Lokal tjänst SID (S-1-5-19) från adress LocalHost (med LRPC) som körs i programbehållaren Inte tillgänglig SID (Inte tillgänglig). Det går att ändra säkerhetsbehörigheten med hjälp av administrationsverktyget Komponenttjänster.

Error: (04/11/2018 01:36:20 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: En timeout (30000 ms) inträffade vid väntan på transaktionssvar från tjänsten ClickToRunSvc.

Error: (04/11/2018 01:35:50 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: En timeout (30000 ms) inträffade vid väntan på transaktionssvar från tjänsten ClickToRunSvc.


==================== Memory info ===========================

Processor: AMD A10-9620P RADEON R5, 10 COMPUTE CORES 4C+6G
Percentage of memory in use: 32%
Total physical RAM: 7120.46 MB
Available physical RAM: 4787.45 MB
Total Virtual: 8272.46 MB
Available Virtual: 5528.52 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:118.19 GB) (Free:66.75 GB) NTFS
Drive d: (KINGSTON) (Removable) (Total:14.4 GB) (Free:14.4 GB) FAT32

\\?\Volume{33c400c8-d33b-4072-96c2-22a7c7c2aada}\ (SYSTEM) (Fixed) (Total:0.25 GB) (Free:0.23 GB) FAT32
\\?\Volume{3a3e8770-b52d-44be-98ca-c836baf4209e}\ (RECOVERY) (Fixed) (Total:0.78 GB) (Free:0.41 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 119.2 GB) (Disk ID: 7658A881)

Partition: GPT.

========================================================
Disk: 1 (Size: 14.4 GB) (Disk ID: 2FF51065)
Partition 1: (Active) - (Size=14.4 GB) - (Type=0B)

==================== End of Addition.txt ============================





#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,246 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:11 PM

Posted 14 April 2018 - 07:24 AM

Hello, welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

ATTENTION: System Restore is disabled
Turn System Restore On for Drives in Windows 10
http://www.tenforums.com/tutorials/4533-system-protection-turn-off-drives-windows-10-a.html
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Tcpip\Parameters: [DhcpNameServer] 82.209.169.71 82.209.169.72
Tcpip\..\Interfaces\{aa3cd9c7-ec94-47d8-8f5a-cbc60955c13f}: [DhcpNameServer] 82.209.169.71 82.209.169.72
BHO: McAfee WebAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll => No File
BHO-x32: McAfee WebAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll => No File
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll No File
FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\e10ssaffplg.xpi => not found
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\e10ssaffplg.xpi => not found
S4 mccspsvc; "C:\Program Files\Common Files\McAfee\CSP\2.7.371.0\\McCSPServiceHost.exe" [X]

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset the browsers that you use and have been compromised.

How To:
https://www.howtogeek.com/171924/how-to-reset-your-web-browser-to-its-default-settings/

====

Please post the log and let me know what problem persists with this computer.

#3 Viveca

Viveca
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:11 AM

Posted 16 April 2018 - 06:47 AM

Hi,

Thanks for your reply.

Should I save the code you sent me in a Notepad file and then run it in the Farbar software?

Have my browsers been compromised - how do you know?

Kind regards,

Viveca



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,246 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:11 PM

Posted 16 April 2018 - 07:16 AM



Hi,

Should I save the code you sent me in a Notepad file and then run it in the Farbar software?


Yes, follow my instructions. Notepad will open; copy the fix in the quote box and save the file as Fixlist.txt.
Place the file in the same folder as the Farbar program, run it and click the Fix button.
---

Work with your browsers, if you get any redirects and or issues reset them.

#5 Viveca

Viveca
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:11 AM

Posted 20 April 2018 - 07:24 AM

Thanks,

 

Here is the log:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018
Ran by Kattis (18-04-2018 17:11:19) Run:1
Running from D:\
Loaded Profiles: Kattis (Available Profiles: Kattis)
Boot Mode: Normal
==============================================

fixlist content:
*****************

Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Tcpip\Parameters: [DhcpNameServer] 82.209.169.71 82.209.169.72
Tcpip\..\Interfaces\{aa3cd9c7-ec94-47d8-8f5a-cbc60955c13f}: [DhcpNameServer] 82.209.169.71 82.209.169.72
BHO: McAfee WebAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll => No File
BHO-x32: McAfee WebAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll => No File
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll No File
FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\e10ssaffplg.xpi => not found
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\e10ssaffplg.xpi => not found
S4 mccspsvc; "C:\Program Files\Common Files\McAfee\CSP\2.7.371.0\\McCSPServiceHost.exe" [X]

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew

End


*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\\DhcpNameServer" => removed successfully
"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{aa3cd9c7-ec94-47d8-8f5a-cbc60955c13f}\\DhcpNameServer" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}" => removed successfully
"HKLM\Software\Classes\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}" => removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}" => removed successfully
"HKLM\Software\Wow6432Node\Classes\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}" => removed successfully
"HKLM\Software\Classes\PROTOCOLS\Handler\sacore" => removed successfully
"HKLM\Software\Classes\CLSID\{5513F07E-936B-4E52-9B00-067394E91CC5}" => removed successfully
"HKLM\Software\Mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}" => removed successfully
"HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}" => removed successfully
"HKLM\System\CurrentControlSet\Services\mccspsvc" => removed successfully
mccspsvc => service removed successfully

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


========= IPCONFIG /release =========


Windows IP Configuration

No operation can be performed on Ethernet while it has its media disconnected.
No operation can be performed on Wi-Fi while it has its media disconnected.
No operation can be performed on Anslutning till lokalt nätverk* 1 while it has its media disconnected.

========= End of CMD: =========


========= IPCONFIG /renew =========


Windows IP Configuration

No operation can be performed on Ethernet while it has its media disconnected.
No operation can be performed on Wi-Fi while it has its media disconnected.
No operation can be performed on Anslutning till lokalt nätverk* 1 while it has its media disconnected.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 7888896 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 10589371 B
Java, Flash, Steam htmlcache => 735 B
Windows/system/drivers => 2040120 B
Edge => 1631098 B
Chrome => 0 B
Firefox => 11451176 B

When I scan with Malwarebytes I found a PUP.OPTIONAL.TROVI file located in Explorer, should I fix the Explorer browser too?

Can you see in the log files if the firewall is working properly?

In my Onedrive - Properties - Security I find the username wscsvc, what is that?

Kind regards,

Viveca



#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,246 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:11 PM

Posted 20 April 2018 - 08:04 AM



Hi,

When I scan with Malwarebytes I found a PUP.OPTIONAL.TROVI file located in Explorer, should I fix the Explorer browser too?

Remove the item(s) found by MBAM.

If you have issues with Internet Explorer reset it.
Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.
===


Can you see in the log files if the firewall is working properly?

This is reported in your Addition.txt log.
Windows Firewall is enabled.
===

In my Onedrive - Properties - Security I find the username wscsvc, what is that?

If you do not have any issues it should be ok.
Check it out.
http://www.systemlookup.com/O23/5529-svchost_exe_wscsvc_dll.html

===

Any remaining issues with this computer?

#7 Viveca

Viveca
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:11 AM

Posted 21 April 2018 - 05:24 AM

No remaining issues.

Many thanks for helping me out! :thumbup2:

Viveca



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,246 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:11 PM

Posted 21 April 2018 - 06:58 AM

Hi,

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#9 Viveca

Viveca
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:11 AM

Posted 23 April 2018 - 05:55 AM

Thanks,

I have one more question. :-)

What do you think caused the changes that had been made in Firefox?

Was it the Trovi file in Explorer, or something else?

Kind regards,

Viveca



#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,246 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:11 PM

Posted 23 April 2018 - 08:32 AM

Hi,

I do not know what Malwarebytes found about Trovi, but it's malware and you did well in removing it.

---

Something changed your name server and was the cause of the internet not working correctly.
Tcpip\Parameters: [DhcpNameServer] 82.209.169.71 82.209.169.72
It was removed.

---

Keep safe!
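The fix in post #2 removes the DhcpNameServer values, and the "Other Areas" and "Restore Points" sections of Addition.txt carry the settings the helper checked first (System Restore state, UAC, SmartScreen, firewall). As an added example, not FRST's code and not nasdaq's, here is a small Python script that reads those lines from an FRST log and reports them so a reader can do the same first pass on their own log. The sample lines are copied from this thread; the allowlist of expected resolvers (192.168.1.1) is an assumption made for the example and not a value from the page, and an address outside the allowlist is reported as unexpected, nothing more.

```python
"""Review FRST Addition.txt / fixlist lines for the points raised in this thread.

Added example, not FRST's or the helper's code. It reports: System Restore state,
UAC (EnableLUA) and SmartScreen values, DHCP name servers that differ from the
resolvers the network is expected to hand out, and explicit firewall Block rules.
"""
import re
from ipaddress import ip_address

# Constructed sample: the relevant lines copied from the thread's Addition.txt
# and fixlist; every other log section is omitted.
SAMPLE_LOG = r"""
ATTENTION: System Restore is disabled
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.
Tcpip\Parameters: [DhcpNameServer] 82.209.169.71 82.209.169.72
Tcpip\..\Interfaces\{aa3cd9c7-ec94-47d8-8f5a-cbc60955c13f}: [DhcpNameServer] 82.209.169.71 82.209.169.72
FirewallRules: [UDP Query User{F7B60D80-A278-4355-A331-132379847562}C:\program files\mozilla firefox\firefox.exe] => (Block) C:\program files\mozilla firefox\firefox.exe
FirewallRules: [TCP Query User{0B05B8AD-C331-49BD-B56C-CEA6C5276280}C:\program files\mozilla firefox\firefox.exe] => (Block) C:\program files\mozilla firefox\firefox.exe
"""

# Assumption for the example: the resolver a home router on this network normally
# hands out over DHCP. Replace with the real ones before relying on the report.
EXPECTED_DNS = ["192.168.1.1"]

KV_RE = re.compile(r"\((\w+): ([^)]*)\)")  # "(EnableLUA: 1)" pairs printed after "=>"
DNS_RE = re.compile(r"^Tcpip\\.*: \[(DhcpNameServer|NameServer)\] (.*)$")
FW_BLOCK_RE = re.compile(r"^FirewallRules: \[[^\]]+\] => \(Block\) (.+)$")


def parse_policy_values(line):
    """Return the key/value pairs FRST prints in parentheses on a registry line."""
    return {key: value.strip() for key, value in KV_RE.findall(line)}


def review_addition(text, expected_dns):
    """Return a list of (severity, message) findings for the given FRST log text."""
    expected = {ip_address(s) for s in expected_dns}
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("ATTENTION: System Restore is disabled"):
            findings.append(("medium", "System Restore is disabled; no rollback point exists before a fix"))
        elif "\\Policies\\System =>" in line:
            # UAC off means every installer and script already runs with full rights
            if parse_policy_values(line).get("EnableLUA") != "1":
                findings.append(("high", "UAC is off (EnableLUA is not 1)"))
        elif "\\Explorer =>" in line and "SmartScreenEnabled" in line:
            if parse_policy_values(line).get("SmartScreenEnabled", "") == "":
                findings.append(("low", "SmartScreenEnabled has no value"))
        elif (m := DNS_RE.match(line)):
            key, servers = m.group(1), m.group(2).split()
            for server in servers:
                try:
                    addr = ip_address(server)
                except ValueError:
                    findings.append(("high", f"{key} holds a non-IP value {server!r}"))
                    continue
                if addr not in expected:
                    findings.append(("high", f"{key} points at unexpected resolver {server}"))
        elif (m := FW_BLOCK_RE.match(line)):
            findings.append(("info", f"explicit firewall Block rule for {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for severity, message in review_addition(SAMPLE_LOG, EXPECTED_DNS):
        print(f"[{severity}] {message}")
```

Run it against a full Addition.txt by reading the file into `review_addition`; sections the script does not know about are simply skipped. A resolver flagged as unexpected only means it is not on the allowlist you supplied, which is exactly the question the helper answered by hand in post #10.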



